Add authoritative DNS on ns1/ns2 and finalize clan config

- Knot authoritative DNS: ns1 primary, ns2 secondary serving cnx.network,
  buildfor.life and cnx.email over TSIG-secured zone transfer (modules/dns)
- Knot listens publicly + over ZeroTier; firewall opens port 53
- Complete clan inventory: name/domain, admin SSH key, control as the
  zerotier controller, tor on all nixos machines
- Enable age yubikey/fido2-hmac secret plugins

machines/ns1/configuration.nix

@@ -1,7 +1,20 @@
+{ ... }:
+let
+  domains = import ../../modules/dns/domains.nix;
+in
 {
   imports = [
-
+    ../../modules/dns/authoritative.nix
   ];
 
-  # New machine!
+  # ns1 = primary (master): holds each master zone file, notifies ns2 and
+  # allows it to pull the zone via AXFR/IXFR.
+  services.knot.settings.zone = map (d: {
+    domain = d;
+    file = ../../modules/dns/zones + "/${d}.zone";
+    "zonefile-load" = "whole";
+    "zonefile-sync" = "-1";
+    notify = [ "ns2" ];
+    acl = [ "acl_ns2" ];
+  }) domains;
 }

machines/ns2/configuration.nix

@@ -1,7 +1,16 @@
+{ ... }:
+let
+  domains = import ../../modules/dns/domains.nix;
+in
 {
   imports = [
-
+    ../../modules/dns/authoritative.nix
   ];
 
-  # New machine!
+  # ns2 = secondary (slave): pulls every zone from ns1 and accepts its NOTIFY.
+  services.knot.settings.zone = map (d: {
+    domain = d;
+    master = [ "ns1" ];
+    acl = [ "acl_ns1" ];
+  }) domains;
 }